Screenshot: the Microsoft Security Research & Defense blog, "About Security Research & Defense" page.
Tagline: Information from Microsoft about vulnerabilities, mitigations and workarounds, active attacks, security research, tools and guidance.
Greg Wroblewski Bio: Greg Wroblewski, Senior Security Software Engineer, drives the technical side of the security response process at Microsoft. His experience at breaking things started at the age of three, when he successfully broke a power outlet. Surviving this achievement, he decided to move his attention towards low-voltage devices. Guided by his parents, he eventually settled on software breaking and protecting techniques. Currently, as a member of the MSRC Engineering team, he is well known for always keeping his development environment updated with the newest malware available. Since the time of the WMF vulnerability outbreak, he keeps his office equipped with a reasonable amount of water, MREs and fire logs. Always prepared to keep customers secure.
Source Code Fix Challenges

• Lack of Resources
• 3rd Party Code
• Outsourced Code
• Insufficient Technical Skill
• Insufficient Contract Scope
• Cost is Too High

Source: OWASP Web Application Virtual Patching Survey
Wait for it...

Screenshot: news headlines, among them "Credit card processor ... BCIA site downed as Anonymous claims attack" and "50K Cards Compromised".

Virtual Patching Definition

A security policy enforcement layer which prevents the exploitation of a known vulnerability.
ModSecurity as Virtual Patching Tool

modsecurity: Open Source Web Application Firewall

• Mature, well tested WAF module
  - Project is 10 years old
  - Protecting millions of websites
  - >275k source code downloads
• Rich feature set, spanning both mitigation and audit
• Significant community support
• Non-viral open source license
• OWASP Core Rule Set providing general protection
Server Platform Marketshare

Source: Netcraft: July 2012 Web Server Survey
httpd.conf:

Include modsecurity.conf

# Rule ids added below: ModSecurity 2.7 refuses to start a rule without an id.
# The id values are placeholders, not part of the original slide.

# Prevent path traversal (..) attacks
SecRule REQUEST_URI|ARGS "\.\./" "id:1001"

# Prevent XSS attacks (HTML/Javascript injection)
SecRule REQUEST_URI|ARGS "<(.|\n)+>" "id:1002"

# Very crude filters to prevent SQL injection attacks
SecRule REQUEST_URI|ARGS "delete[[:space:]]+from" "id:1003"
SecRule REQUEST_URI|ARGS "insert[[:space:]]+into" "id:1004"
SecRule REQUEST_URI|ARGS "select.+from" "id:1005"

nginx.conf:

ModSecurityConfig modsecurity.conf
ModSecurityEnabled On

Internet Information Services
ModSecurity IIS

Screenshot: ModSecurity IIS installer, "Select Installation Folder"
The installer will install ModSecurity IIS to the following folder. To install in this folder, click "Next". To install to a different folder, enter it below or click "Browse".
Folder: C:\Program Files (x86)\ModSecurity IIS\
Install ModSecurity IIS for yourself, or for anyone who uses this computer: (•) Everyone ( ) Just me

Screenshot: ModSecurity IIS installer, "License Agreement"
Please take a moment to read the license agreement now. If you accept the terms below, click "I Agree", then "Next". Otherwise click "Cancel".
Apache License, Version 2.0, January 2004, <http://www.apache.org/licenses/>
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions. (text continues)
( ) I Do Not Agree (•) I Agree

Screenshot: ModSecurity IIS installer, "Installation Complete"
ModSecurity IIS has been successfully installed. Click "Close" to exit.
Please use Windows Update to check for any critical updates to the .NET Framework.
Lister - [c:\inetpub\wwwroot\web.config]

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <ModSecurity enabled="true" configFile="c:\inetpub\wwwroot\test.conf" />
  </system.webServer>
</configuration>
Screenshot: IIS Manager on GREGS17, Application Pools view.
This page lets you view and manage the list of application pools on the server. Application pools are associated with worker processes, contain one or more applications, and provide isolation among different applications.
Pools listed: ASP.NET v4.0 (Started, v4.0, Integrated), ASP.NET v4.0 Classic (Started, v4.0, Classic), Classic .NET AppPool (Started, v2.0, Classic), DefaultAppPool (Started).
Actions: Start, Stop, Recycle..., Basic Settings..., Recycling..., Advanced Settings..., Rename, Remove, View Applications, Help, Add Application Pool..., Set Application Pool Defaults...
Screenshot: Event Viewer, Event Properties - Event 0, ModSecurity, EventData:

ModSecurity for IIS/2.7.0-rc2 (http://www.modsecurity.org/) configured.
~/mod_security# ./configure
~/mod_security# cd standalone
~/mod_security/standalone# make

~/nginx-1.2.0# ./configure --add-module=../mod_security/nginx/modsecurity
~/nginx-1.2.0# make
~/nginx-1.2.0# make install
Screenshot: Debian - Windows Virtual PC, editing nginx.conf (Line 38, 2803 bytes):

    server_name localhost;

    #charset koi8-r;

    #access_log logs/host.access.log main;

    location / {
        root html;
        index index.html index.htm;
        ModSecurityConfig /usr/local/nginx/conf/xss.conf;
        ModSecurityEnabled On;
    }

    #error_page 404 /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root html;
    }
Screenshot: Debian - Windows Virtual PC, viewing error.log (8586 bytes):

2012/06/26 01:41:29 [notice] 28716#0: nginx/1.2.0
2012/06/26 01:41:29 [notice] 28716#0: built by gcc 4.4.5 (Debian 4.4.5-8)
2012/06/26 01:41:29 [notice] 28716#0: OS: Linux 2.6.32-5-686
2012/06/26 01:41:29 [notice] 28716#0: getrlimit(RLIMIT_NOFILE): 1024:1024
2012/06/26 01:41:29 [notice] 28717#0: start worker processes
2012/06/26 01:41:29 [notice] 28717#0: start worker process 28718
2012/06/26 01:41:29 [info] 28718#0: ModSecurity for nginx/2.7.0-rc2 (http://www.modsecurity.org/) configured.
2012/06/26 01:41:29 [info] 28718#0: ModSecurity: APR compiled version="1.4.5"; loaded version="1.4.2"
2012/06/26 01:41:29 [info] 28718#0: ModSecurity: PCRE compiled version="8.30"; loaded version="8.30 2012-02-04"
2012/06/26 01:41:29 [info] 28718#0: ModSecurity: LIBXML compiled version="2.7.7"
2012/06/26 01:41:52 [info] 28718#0: *1 /test/index.html, client: 127.0.0.1, server: localhost, request: "GET /test/index.html HTTP/1.0", host: "127.0.0.1"
2012/06/26 01:41:52 [error] 28718#0: *1 open() "/usr/local/nginx/html/test/index.html" failed (2: No such file or directory), client: 127.0.0.1, server: localhost, request: "GET /test/index.html HTTP/1.0", host: "127.0.0.1"
2012/06/26 01:41:52 [info] 28718#0: *1 client 127.0.0.1 closed keepalive connection
2012/06/26 01:42:45 [info] 28718#0: *2 /test/ddd/../../index.html, client: 127.0.0.1, server: localhost, request: "GET /test/ddd/../../index.html HTTP/1.0"
2012/06/26 01:42:45 [info] 28718#0: [client 127.0.0.1] ModSecurity: Warning. Pat

(the last line is cut off at the edge of the screenshot)
CVE-2011-3414

Collisions in HashTable May Cause DoS Vulnerability

A denial of service vulnerability exists in the way that ASP.NET Framework handles specially crafted requests, causing a hash collision. An attacker who successfully exploited this vulnerability could send a small number of specially crafted requests to an ASP.NET server, causing performance to degrade significantly enough to cause a denial of service condition.
Screenshot: Lister - [d:\demo\payload], the hash-collision PoC request body (contents not reproduced here).
ASP.NET: effectiveness

1 dot * 3 CPU cores
1 Gbit/s -> keep ~30k Core2 cores busy
RESTROOM CLOSED
NO ENTRY
Mitigations

• Restrict the request body size
• Restrict the number of ARGS
• Identify repetitive payloads
• Check ARGS names against PoC data

There are ModSecurity rules for all four mitigations.
Lister - [c:\inetpub\wwwroot\test.conf]

SecAuditLogStorageDir c:\temp

# The index of all files created
# YOU MUST NOT ALLOW NON-ROOT USERS TO WRITE
# TO THE BASE FOLDER
SecAuditLog c:\temp\index

# Choose what to log - everything (default is ABCFHZ)
SecAuditLogParts ABCDEFGHZ

SecAuditEngine On

# Hash DoS chain: fires only when the request carries >= 1000 parameters AND the
# first four parameter values are identical (the repetitive-payload signature).
# The right-hand edge of the screenshot is cut off; the msg and tag below are
# taken from the event log entry this rule produced.
SecRule &ARGS "@ge 1000" "chain,id:1234,phase:2,t:none,deny,msg:'Possible Hash DoS Attack Identified.',tag:'http://blogs.technet.com/b/srd/archive/2011/12/27/more-information-about-the-december-2011-asp-net-vulnerability.aspx?Redirected=true'"
  SecRule REQUEST_BODY "^\w*?=(.*?)&\w*?=(.*?)&\w*?=(.*?)&\w*?=(.*?)&" "chain,capture"
    SecRule TX:1 "@streq %{tx.2}" "chain,setvar:tx.hash_dos_match=+1"
      SecRule TX:2 "@streq %{tx.3}" "chain,setvar:tx.hash_dos_match=+1"
        SecRule TX:3 "@streq %{tx.4}" "chain,setvar:tx.hash_dos_match=+1"
          SecRule TX:HASH_DOS_MATCH "@eq 3"

# Fourth mitigation (disabled in the screenshot): block any parameter name that
# appears in a list built from the published PoC data. Its msg text is cut off.
#SecRule ARGS_NAMES "@pmFromFile hash_dos_param_names.txt" "phase:2,t:none,block,msg:'(cut off in the screenshot)'"
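The hash DoS chain above, re-implemented in Python as an added example (not code from the slides or from ModSecurity) so the rule logic can be exercised offline; the sample bodies, the parameter names and the PoC name list are constructed stand-ins, not real colliding keys:

```python
import re
from urllib.parse import parse_qsl

ARG_THRESHOLD = 1000          # SecRule &ARGS "@ge 1000"
# SecRule REQUEST_BODY "^\w*?=(.*?)&\w*?=(.*?)&\w*?=(.*?)&\w*?=(.*?)&" "capture"
FIRST_FOUR = re.compile(r"^\w*?=(.*?)&\w*?=(.*?)&\w*?=(.*?)&\w*?=(.*?)&")


def count_args(body: str) -> int:
    """&ARGS: ModSecurity counts every name=value pair, blank values included
    (the PoC bodies use blank values), so keep_blank_values mirrors that."""
    return len(parse_qsl(body, keep_blank_values=True))


def hash_dos_match(body: str) -> bool:
    """The whole chain: >= 1000 args AND the first four values are identical
    (TX:1 == TX:2, TX:2 == TX:3, TX:3 == TX:4 -> tx.hash_dos_match reaches 3)."""
    if count_args(body) < ARG_THRESHOLD:     # chain rule 1
        return False
    m = FIRST_FOUR.match(body)               # chain rule 2 (capture -> TX:1..TX:4)
    if not m:
        return False
    tx = m.groups()
    score = sum(1 for a, b in zip(tx, tx[1:]) if a == b)  # the three @streq rules
    return score == 3                        # SecRule TX:HASH_DOS_MATCH "@eq 3"


def names_in_poc_list(body: str, poc_names) -> bool:
    """The commented-out rule: SecRule ARGS_NAMES "@pmFromFile ..." fires when
    any parameter name appears in a list built from published PoC data."""
    names = {n for n, _ in parse_qsl(body, keep_blank_values=True)}
    return bool(names & set(poc_names))


# Constructed sample bodies: arbitrary names, not real colliding keys.
BENIGN = "user=alice&action=save&note=hello&csrf=abc123"
FLOOD_BLANK = "&".join(f"P{i:05d}=" for i in range(1200)) + "&"      # 1200 blank values
FLOOD_VARIED = "&".join(f"P{i:05d}={i}" for i in range(1200)) + "&"  # 1200 distinct values
POC_NAMES = {"P00007", "P00042"}  # constructed stand-in for hash_dos_param_names.txt
```

In ModSecurity itself REQUEST_BODY is only populated in phase 2 with SecRequestBodyAccess On, and the first mitigation on the slide (request body size) is the SecRequestBodyLimit directive rather than a SecRule.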


Black Hat USA 2011
Screenshot: Event Viewer, Event Properties - Event 0, ModSecurity, EventData:

[client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 2). Operator EQ matched 3 at TX:hash_dos_match. [file "c:\inetpub\wwwroot\test.conf"] [line "41"] [id "1234"] [msg "Possible Hash DoS Attack Identified."] [tag "http://blogs.technet.com/b/srd/archive/2011/12/27/more-information-about-the-december-2011-asp-net-vulnerability.aspx?Redirected=true"] [hostname "GREGS17"] [uri "/default.htm"] [unique_id "18302628887781180653"]
CVE-2012-1859

• A classic case of cross-site scripting vulnerability

http://sharepoint/_layouts/scriptresx.ashx?culture=en-us&name=SP.JSGrid.Res&rev=laygpE0lqaosnkB4iqx6mA%3D%3D&sections=All<SCRIPT>ALERT('HACKED!!!')</SCRIPT>z
Screenshot: Firefox showing an alert dialog "Hacked!!!" with the status bar reading "Transferring data from windows-2dk2zvw...".
OH SHIT

THERE'S NO ESCAPE
CVE-2012-1859

Blacklist approach:

SecRule REQUEST_FILENAME "@contains /_layouts/scriptresx.ashx" "chain,id:1233,phase:1,block,msg:'XSS Attempt Against SharePoint'"
  SecRule ARGS:sections "@pm < > ( ) ;"

Whitelist approach:

SecRule REQUEST_FILENAME "@contains /_layouts/scriptresx.ashx" "chain,id:1234,phase:1,block,msg:'SharePoint Sections Param Violation - Illegal Chars'"
  SecRule ARGS:sections "!@rx ^\w+$"

(ModSecurity 2.7 requires an id on every rule. id:1234 on the whitelist chain is the id recorded in the event log entry; id:1233 on the blacklist chain is a placeholder, the slide shows no id for it.)
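The two rule chains above, re-implemented in Python as an added example (not code from the slides or from ModSecurity) so their decisions can be compared offline; the `sections` values marked as such come from the slides, the other URLs are constructed:

```python
import re
from urllib.parse import urlsplit, parse_qs

TARGET = "/_layouts/scriptresx.ashx"          # SecRule REQUEST_FILENAME "@contains ..."
BLACKLIST_PHRASES = ("<", ">", "(", ")", ";")   # SecRule ARGS:sections "@pm < > ( ) ;"
# SecRule ARGS:sections "!@rx ^\w+$" -- PCRE \w is ASCII-only, re.ASCII matches that
WHITELIST = re.compile(r"^\w+$", re.ASCII)


def request_args(url: str):
    """(path, args) for a request URL. ModSecurity's ARGS are already
    URL-decoded, so the parse_qs decoding here mirrors what the rules see."""
    parts = urlsplit(url)
    return parts.path, parse_qs(parts.query, keep_blank_values=True)


def blacklist_blocks(url: str) -> bool:
    """Blacklist chain: only the SharePoint handler (chain rule 1), and only a
    `sections` value containing one of the listed phrases (chain rule 2)."""
    path, args = request_args(url)
    if TARGET not in path:
        return False
    return any(p in v for v in args.get("sections", []) for p in BLACKLIST_PHRASES)


def whitelist_blocks(url: str) -> bool:
    """Whitelist chain: same scope, but block unless `sections` is purely \\w."""
    path, args = request_args(url)
    if TARGET not in path:
        return False
    return any(not WHITELIST.match(v) for v in args.get("sections", []))


def decisions(url: str):
    """(blacklist fired, whitelist fired) for one request."""
    return blacklist_blocks(url), whitelist_blocks(url)


BASE = ("http://sharepoint/_layouts/scriptresx.ashx?culture=en-us"
        "&name=SP.JSGrid.Res&rev=laygpE0lqaosnkB4iqx6mA%3D%3D&sections=")
LEGIT = BASE + "All"                                                  # value from the slide
PROBE = BASE + "All%3Cscript%3Ealert(%27Hacked!!!%27)%3C/script%3Ez"  # value from the event log
ODD = BASE + "All%27"            # constructed: a lone quote, none of the @pm phrases
ELSEWHERE = "http://sharepoint/default.aspx?sections=%3Cb%3E"  # constructed: other handler
```

The ELSEWHERE case shows the scope of a virtual patch: both chains are keyed to the vulnerable handler, so the same parameter on another path is left to the general rule set (for example the OWASP Core Rule Set).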
Screenshot: Event Viewer, Event Properties - Event 0, ModSecurity, EventData:

[client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 1). Match of "rx ^\\w+$" against "ARGS:sections" required. [file "c:\inetpub\wwwroot\test.conf"] [line "23"] [id "1234"] [msg "SharePoint Sections Param Violation - Illegal Chars"] [hostname "WINDOWS-2DK2ZVW"] [uri "/_layouts/scriptresx.ashx?culture=en-us&name=SP.JSGrid.Res&rev=laygpE0lqaosnkB4iqx6mA%3D%3D&sections=All%3Cscript%3Ealert(%27Hacked!!!%27)%3C/script%3Ez"] [unique_id "16429131442795053181"]
Download RC2 Now

• http://sourceforge.net/projects/mod-security/files/modsecurity-apache/2.7.0-rc2/
• http://sourceforge.net/projects/mod-security/files/modsecurity-iis/2.7.0-rc2/
  ModSecurityIIS 2.7.0-rc2.msi
New Protections Coming

• Microsoft Security Response Center will start publishing ModSecurity rules for vulnerabilities in Microsoft products
• IIS/ASP/ASP.NET specific ModSecurity rule sets will be created by community effort
Resources

• ModSecurity home page
  - http://www.modsecurity.org/
• OWASP Core Rule Set for ModSecurity
  - https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
• MSRC blog
  - http://blogs.technet.com/b/srd/
• Trustwave SpiderLabs blog
  - http://blog.spiderlabs.com/
• Trustwave Commercial Rule Set for ModSecurity
  - https://www.trustwave.com/modsecurity-rules-support.php
Contributors

• Microsoft - ModSecurity Port for IIS
  - Greg Wroblewski - Senior Security Developer
  - Suha Can - Security Researcher / Developer
• Trustwave - ModSecurity
  - Ziv Mador - Director of Security Research
  - Ryan Barnett - Security Researcher Lead
  - Breno Pinto - ModSecurity Researcher & Developer
• Open community - Security Port for Nginx
  - Alan Silva - Software Engineer at Alcatel-Lucent